chkrootkit looks for known "signatures" in trojaned system
binaries. For example, some trojaned versions of ps
have "/dev/ptyp" inside them.

Obviously an attacker can easily modify the rootkit sources
to change its signatures and avoid chkrootkit detection. See
next question.

Can chkrootkit detect modified (or new)
rootkit versions?

If chkrootkit can't find a known signature inside a file, it
can't automatically determine if it has been
trojaned. Try to run chkrootkit in expert mode (-x
option) -- in this mode the user can examine suspicious strings
in the binary programs that may indicate a trojan.

For example, lots of data can be seen with:

# ./chkrootkit -x | more

Pathnames inside system commands:

# ./chkrootkit -x | egrep '^/'

Why haven't you written chkrootkit in
Perl?

Not all systems have Perl available. The motivation was to
write a simple tool that could be run in systems with minimal
installation.

Use the `-p path' option to supply an alternate
path to binaries you trust:

# ./chkrootkit -p /cdrom/bin

Mount the compromised machine's disk on a machine you
trust and specify a new rootdir with the `-r
rootdir' option:

# ./chkrootkit -r /mnt

How accurate is chkproc?

If you run chkproc on a server that runs many short-lived
processes it could report some false positives.
chkproc compares the ps output with the
/proc contents. If processes are created or killed while
this comparison is running, chkproc could point out these PIDs as
suspicious.
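The comparison described above, as an added illustration that is not chkrootkit's own chkproc (which is a C program): PIDs present in /proc but absent from the ps listing are flagged, and a second pass after a short delay drops the short-lived processes that cause the false positives mentioned in the answer. The function names (hidden_pids, persistent_hidden, live_scan) and the sample PID lists are assumptions for the example.

```sh
#!/bin/sh
# Added example, not chkrootkit's own chkproc code.
# Technique from the FAQ: a PID visible in /proc but missing from ps is a
# candidate hidden process. A second pass filters transient processes.

# hidden_pids PROC_LIST PS_LIST: print PIDs in PROC_LIST missing from PS_LIST.
hidden_pids() {
    for pid in $1; do
        found=0
        for p in $2; do
            [ "$p" = "$pid" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$pid"
    done
    return 0
}

# persistent_hidden FIRST SECOND: print PIDs reported hidden on both passes.
persistent_hidden() {
    for pid in $1; do
        for q in $2; do
            [ "$pid" = "$q" ] && printf '%s\n' "$pid"
        done
    done
    return 0
}

# Current PID lists from the live system, joined by spaces.
snapshot_proc() { ls /proc | grep -E '^[0-9]+$' | tr '\n' ' '; }
snapshot_ps()   { ps -e -o pid= | tr -s ' \n' ' '; }

# live_scan [DELAY]: two-pass comparison on the running system. The ls/grep
# helpers themselves exit before ps runs, so a single pass would flag them;
# only PIDs still hidden after DELAY seconds are reported.
live_scan() {
    delay=${1:-1}
    first=$(hidden_pids "$(snapshot_proc)" "$(snapshot_ps)")
    [ -z "$first" ] && return 0
    sleep "$delay"
    second=$(hidden_pids "$(snapshot_proc)" "$(snapshot_ps)")
    persistent_hidden "$first" "$second" |
        while read -r pid; do
            printf 'suspicious: PID %s in /proc but not in ps (two passes)\n' "$pid"
        done
    return 0
}

# Constructed demonstration: PID 3 is transient, PIDs 5 and 7 stay hidden.
persistent_hidden "$(hidden_pids '1 2 3 5 7' '1 2')" "$(hidden_pids '1 5 7 9' '1 9')"
```

Run `live_scan 2` as root on the host being checked to apply the same two-pass comparison to the real /proc and ps output.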